ISE Identity Certificate.

graham.harper
Level 1

Hi there,

Does anyone have any experience with publicly signed ID certificates for ISE?

We are going to be deploying Guest Services via CWA. When a user connects to the portal they get a certificate error as the current ID certificates are only signed by our internal CA and nobody but internal users will have that CA installed.

I went to an external provider (Geotrust) and wanted to get a Public CA signed Certificate with the CN = guestportal.company.com and SAN fields of internalserver.company.local.lcl, Private IP of BOX and External IP of Box. I get this Error from Geotrust.

  • Certificates that expire after November 1st, 2015 may not contain an internal server IP address or server name. Please modify SAN entry to continue.

Researching further into this it seems that all Certificates being issued by Public CA’s need to abide by the following new rules.

“What is an Internal Name?

An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:

    Any server name with a non-public domain name suffix. For example, www.contoso.local or server1.contoso.internal.

    NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.

    Any IPv4 address in the RFC 1918 range.

    Any IPv6 address in the RFC 4193 range.”

Has anyone got around this? Or will the guests just have to put up with the Certificate error? Also I'll have to change the PSN's hostname to the CN which has implications for it joining our internal active directory so not keen on that.

I've read that LDAP might be my only solution, which I am not really keen on; see below.

https://supportforums.cisco.com/docs/DOC-37562
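The rule GeoTrust quotes is mechanical enough to check before paying for a certificate request. The script below is an added example (not Cisco, GeoTrust or CA/Browser Forum code) that classifies each proposed SAN the way the quoted "internal name" definition does: RFC 1918 IPv4 and RFC 4193 IPv6 addresses, dotless short hostnames, and names whose last label is in a constructed list of non-public suffixes. The suffix list (`local`, `internal`, `lcl`, `lan`, `corp`, `intranet`) and the sample SANs and dates are assumptions for the demo; a production check would test the suffix against the IANA root zone or the Public Suffix List instead.

```python
"""Pre-check a proposed SAN list against the public-CA "internal name" rule
quoted in the post, before submitting a CSR.  Added example, not vendor code."""
import ipaddress
from datetime import date

# RFC 1918 IPv4 and RFC 4193 IPv6 ranges, exactly the ranges the quoted rule names.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")

# Constructed list of suffixes treated as non-public.  A real check would consult
# the IANA root zone or the Public Suffix List; 'lcl' is included only because the
# post uses it and it is not a delegated TLD.
NON_PUBLIC_SUFFIXES = {"local", "internal", "lcl", "lan", "corp", "intranet"}

# Date taken from the GeoTrust error quoted in the post.
CUTOFF = date(2015, 11, 1)


def classify(san: str) -> str:
    """Return 'public', or a reason string explaining why `san` is an internal name."""
    try:
        ip = ipaddress.ip_address(san)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 4 and any(ip in net for net in RFC1918):
            return "internal: RFC 1918 IPv4 address"
        if ip.version == 6 and ip in RFC4193:
            return "internal: RFC 4193 IPv6 address"
        return "public"
    name = san.rstrip(".").lower()
    if "." not in name:
        return "internal: short hostname / NetBIOS name"
    if name.rsplit(".", 1)[1] in NON_PUBLIC_SUFFIXES:
        return "internal: non-public domain suffix"
    return "public"


def check_san_request(sans, not_after: str):
    """Split requested SANs into the ones a public CA will accept and the ones it
    will reject, with the reason.  `not_after` is the requested expiry as an ISO
    date string; internal names are only rejected when it is past the cutoff."""
    expiry = date.fromisoformat(not_after)
    accepted, rejected = [], {}
    for san in sans:
        verdict = classify(san)
        if verdict == "public" or expiry <= CUTOFF:
            accepted.append(san)
        else:
            rejected[san] = verdict
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request mirroring the post: a public CN plus internal SANs.
    # 10.1.2.3 stands in for the PSN's private IP, 203.0.113.10 (a documentation
    # range) for its external IP.
    requested = [
        "guestportal.company.com",
        "internalserver.company.local.lcl",
        "10.1.2.3",
        "203.0.113.10",
    ]
    ok, bad = check_san_request(requested, "2018-01-01")
    print("SANs a public CA will accept:", ok)
    for san, why in bad.items():
        print(f"drop {san!r}: {why}")
```

Run it with the SANs you intend to put in the CSR; whatever lands in the rejected set has to be removed (or served under a public FQDN) before a public CA will issue, which is the change the post is weighing up for the PSN hostname.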